Re: Why can't ESP authenticate IP header?
> How can it provide "data origin authentication" in transport mode?
By allowing SAs to have a source address attribute and checking this
on receipt (as suggested by Steve Bellovin a long time ago).
You don't need to include the source address in the hash function if
you do a literal compare between the packet source address and the
source address of the SA.
Solaris's IPsec does this.
- Bill
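
An added sketch of the inbound check described in the message above; it is not code from the original post or from Solaris. The SA layout, the function names, the sample addresses and the `icv_ok` flag (standing in for the result of the ESP integrity check) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified inbound SA; layout and names are illustrative assumptions. */
struct sa {
    uint32_t spi;
    uint8_t  alen;      /* 4 = IPv4, 16 = IPv6 */
    uint8_t  src[16];   /* source address attribute of the SA */
    uint8_t  dst[16];   /* local address the SA terminates on */
};

enum verdict { ACCEPT, DROP_NO_SA, DROP_BAD_ICV, DROP_SRC_MISMATCH };

/* Constructed sample addresses (documentation ranges) and SAD. */
static const uint8_t PEER_A[4] = {192, 0, 2, 10};
static const uint8_t PEER_B[4] = {192, 0, 2, 20};
static const uint8_t LOCAL[4]  = {198, 51, 100, 1};
static const struct sa sad[] = {
    {0x1001, 4, {192, 0, 2, 10}, {198, 51, 100, 1}},
    {0x1002, 4, {192, 0, 2, 20}, {198, 51, 100, 1}},
};

/* icv_ok is the result of the ESP integrity check under the SA's key,
 * which covers the ESP header and payload but not the IP header. */
enum verdict esp_inbound(uint32_t spi, const uint8_t *src,
                         const uint8_t *dst, uint8_t alen, int icv_ok)
{
    const struct sa *sa = NULL;
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++)
        if (sad[i].spi == spi && sad[i].alen == alen &&
            memcmp(sad[i].dst, dst, alen) == 0)
            sa = &sad[i];
    if (sa == NULL)
        return DROP_NO_SA;
    if (!icv_ok)
        return DROP_BAD_ICV;
    /* Literal compare: the key proves "holder of this SA", the compare
     * ties that holder to the address the SA was set up for. */
    if (memcmp(sa->src, src, alen) != 0)
        return DROP_SRC_MISMATCH;
    return ACCEPT;
}

int main(void)
{
    /* Valid ICV under B's SA, but the IP source claims to be A: dropped. */
    printf("%d\n", esp_inbound(0x1002, PEER_A, LOCAL, 4, 1));
    printf("%d\n", esp_inbound(0x1002, PEER_B, LOCAL, 4, 1));
    return 0;
}
```

The mismatch case is the one the compare exists for: the ICV verifies because ESP never hashed the IP header, yet the packet is dropped because its source address is not the one recorded in the SA.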